Th, 3:15 - 5:05, Gates 159
Grading: CR/NC or letter
Advanced topics class on cryptanalysis of symmetric and public-key
primitives and protocols. We will cover recent collision-finding attacks
on hash functions, differential and linear cryptanalysis of block ciphers,
and number-theoretic and lattice-based methods of attacking public-key
cryptosystems. CS255 is a prerequisite, although most of the lectures will
Here is a tentative plan of the course. It will be updated as the
Hash functions. Attacks exploiting the Merkle-Damgård structure (poisoned block, Joux's attack), review of recent collision-finding attacks on MD4, MD5, SHA-0 and SHA-1. Dobbertin's attack on MD4.
Hash functions: Theory, attacks, and applications.
Example of two .ps files colliding under MD5 (based on the files of M. Daum and S. Lucks): taxes.ps and broccoli.ps. MD5 calculator is here.
Birthday paradox: non-uniform case, memoryless algorithms (Floyd's and Brent's cycle-finding algorithms), parallelization. Random mapping statistics.
Time-memory tradeoffs: permutations, Hellman's tradeoff, distinguished points, stream ciphers, Fiat-Naor analysis.
Differential and linear cryptanalysis of DES. Differentials, characteristics, Matsui's piling-up lemma, structures.
Perfectly non-linear functions. Decorrelation module. Boomerang attack. Non-linearity of inversion.
AES. BES. XSL.
Stream ciphers. LFSRs. Berlekamp-Massey algorithm. Correlation attack. Combiners: Geffe's generator, summation generator. Shrinking generator.
James L. Massey, "Shift-register synthesis and BCH decoding," IEEE Trans. on Information Theory, vol. 15(1), pp. 122-127, Jan 1969.
Dlog and factoring: generic algorithms (baby-step giant-step, Pollard's rho and lambda), index calculus, quadratic sieve. TWINKLE and mesh-based algebraic step.
Cryptanalysis of public-key cryptosystems: lattices, Bleichenbacher's attack, short RSA exponent.
Side-channel attacks: timing attacks against RSA and AES; acoustic attack. Fault attacks: RSA, LFSR.